[Federal Register: March 10, 2003 (Volume 68, Number 46)]
[Notices]               
[Page 11432-11435]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10mr03-95]                         

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-47441; File No. SR-NASD-2002-108]

 
Self-Regulatory Organizations; Notice of Filing of Amendment Nos. 
1, 2, and 3 to a Proposed Rule Change by the National Association of 
Securities Dealers, Inc. Relating to Business Continuity Plans and 
Emergency Contact Information

March 4, 2003.
    Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ the National Association of 
Securities Dealers, Inc. (``NASD''), on August 7, 2002, filed with the 
Securities and Exchange Commission (``Commission''), a proposed rule 
change to require its members to establish and maintain business 
continuity plans. The Commission published the proposed rule change in 
the Federal Register on September 9, 2002.\3\ The Commission received 
three comments in response to the Original Notice. The NASD submitted 
amendments to the proposed rule change on December 12, 2002; \4\ 
January 8, 2003; \5\ and February 19, 2003.\6\ The Commission is 
publishing this notice of Amendment Nos. 1, 2, and 3 to solicit 
comments on the proposed rule change, as amended, from interested 
persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 46444 (August 30, 2002), 
67 FR 57257 (``Original Notice'').
    \4\ See letter from Brian J. Woldow, Office of General Counsel, 
NASD, to Katherine A. England, Division of Market Regulation, 
Commission, dated December 11, 2002 (``Amendment No. 1'').
    \5\ See letter from Brian J. Woldow, Office of General Counsel, 
NASD, to Katherine A. England, Division of Market Regulation, 
Commission, dated January 8, 2003 (``Amendment No. 2'').
    \6\ See letter from Brian J. Woldow, Office of General Counsel, 
NASD, to Katherine A. England, Division of Market Regulation, 
Commission, dated February 19, 2002 (``Amendment No. 3'').
---------------------------------------------------------------------------

I. Self-Regulatory Organization's Statement of the Terms of Substance 
of the Proposed Rule Change

    The NASD is proposing to clarify that the proposed rule change, 
which would require member firms to create and maintain business 
continuity plans and to provide the NASD with certain information to be 
used in the event of future significant business disruptions, also 
would require members' business continuity plans to be reasonably 
designed to enable members to continue their business in the event of a 
significant business disruption. Below is the text of the proposed rule 
change, as amended. The base rule text is that proposed in the Original 
Notice. Language added by Amendments Nos. 1, 2 and 3 is italicized; 
language deleted by the amendments is in brackets.
* * * * *

3500. Emergency Preparedness

3510. Business Continuity Plans

    (a) Each member must create and maintain a written business 
continuity plan identifying procedures [to be followed in the event of] 
relating to an emergency or significant business disruption. Such 
procedures must be reasonably designed to enable the member to continue 
its business in the event of future significant business disruptions. 
The business continuity plan must be made available promptly upon 
request to NASD staff.
    (b) Each member must update its plan in the event of any material 
change to the member's operations, structure, business, or location. 
Each member must also conduct an annual review of its business 
continuity plan to determine whether any modifications are necessary in 
light of changes to the member's operations, structure, business, or 
location.
    (c) The [requirements of] elements that comprise a business 
continuity plan are flexible and may be tailored to the size and needs 
of a member. Each plan, however, must at a minimum, address:
    (1) Data back-up and recovery (hard copy and electronic);
    (2) All mission critical systems;
    (3) Financial and operational assessments;
    (4) Alternate communications between customers and the member;
    (5) Alternate communications between the member and its employees;
    (6) Business constituent, bank, and counter-party impact;
    (7) Regulatory reporting; and
    (8) Communications with regulators.
Each member must address the above-listed categories to the extent 
applicable and necessary to enable the member to continue its business 
in the event of a future significant business disruption. If any of the 
above-listed categories is not applicable, the member's business 
continuity plan need not address the category. The member's business 
continuity plan, however, must document the rationale for not including 
such category in its plan. If a member relies on another entity for any 
one of the above-listed categories or any mission critical system, the 
member's business continuity plan must address this relationship.
    (d) Members must designate a member of senior management to 
approve the plan and he or she shall be responsible for conducting the 
required annual review. The member of senior management must also be a 
registered principal.
    [d](e) For purposes of this rule, the following terms shall have 
the meanings specified below:
    (1) ``Mission critical system'' means any system that is necessary, 
depending on the nature of a member's business, to ensure prompt and 
accurate processing of securities transactions, including, but not 
limited to, order taking, order entry, execution, comparison, 
allocation, clearance and settlement of securities transactions, the 
maintenance of customer accounts, access to customer accounts and the 
delivery of funds and securities.
    (2) ``Financial and operational assessment'' means a set of written 
procedures that allows a member to identify changes in its operational, 
financial, and credit risk exposures.

3520. Emergency Contact Information

    (a) Each member shall report to NASD, via such electronic or other 
means as NASD may require, prescribed emergency contact information for 
the member. Among other things, t[T]he emergency contact information 
for the member includes designation of two emergency contact persons. 
Each emergency contact person shall be a member of senior management 
and a registered principal of the member.
    (b) Each member must promptly update its emergency contact 
information, via such electronic or other means as NASD may require, in 
the event of any material change[, but at a minimum must review the 
information contained therein twice a year to ensure its accuracy].
* * * * *

II. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

    In its filing with the Commission, the NASD included statements 
concerning the purpose of and basis for the proposed rule change and 
discussed any comments it received on the proposed rule change. The 
text of these statements may be examined at the places specified in 
Item IV below. The NASD has prepared summaries, set forth in Sections 
A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

1. Purpose
    The purpose of Amendment No. 3 is to clarify that the language of 
proposed NASD Rule 3510 is intended to require not only that members 
conduct a planning process to create a written business continuity 
plan, but also that the plan resulting from this process be reasonably 
designed to enable members to continue their business in the event of a 
future significant business disruption.
    As described in detail in the Original Notice, following the tragic 
events of September 11, 2001, and after an extensive survey of the 
business continuity practices of members, the NASD proposed two new 
rules, Rules 3510 and 3520. Proposed NASD Rule 3510 would require 
members to create and maintain business continuity plans. In developing 
this rule, the NASD recognized the diversity in size, structure, 
operations, and business of its members. Each member's plan would be 
required, at a minimum, to address eight areas specified in the 
proposed rule change, which the NASD believes are essential to a 
broker-dealer's business continuity plan.
    Proposed NASD Rule 3510 also would require members to update their 
business continuity plans based on any material change to the member's 
operations, structure, business, or location. In addition, members 
would be required to conduct an annual review of their plans to 
determine whether any modifications are needed in light of any changes 
to the member's operations, structure, business, or location. Finally, 
members would be required to designate a member of senior management to 
approve the plan and conduct the annual review.
    The NASD's experience in the aftermath of September 11th also 
confirmed that the NASD needs a fully reliable means of contacting 
firms in the event of an emergency. Proposed NASD Rule 3520 would 
require members to file and keep current with the NASD certain key 
information that would be of particular importance during significant 
business disruptions, including:
    - Emergency contact information for key staff;
    - Identification of two designated contact persons;
    - Location of books and records (including back-up locations);
    - Clearance and settlement information;
    - Identification of key banking relationships; and
    - Alternative communication plans for investors.
    The purpose of Amendment No. 3 is to address concerns that a 
literal reading of proposed NASD Rule 3510, as set forth in the 
Original Notice, could suggest that the rule would require members only 
to create, maintain, and periodically review a business continuity 
plan, but would not require that members' plans be effective in 
enabling members to continue their business in the event of a future 
significant business disruption. The NASD did not intend to propose a 
rule of such limited scope. In this regard, in its description of the 
purpose of the proposed rule change, the NASD stated that ``[t]he 
purpose of the proposed rule change is to help to ensure that NASD 
members will be able to continue their business in the event of future 
significant business disruptions.'' The NASD believes that members 
should be obligated to develop a business continuity plan that is 
reasonably designed, in light of particular characteristics of the 
firm, to allow the firm to recover as early as practicable in the event 
of a future significant business disruption.
    Therefore, the NASD is proposing to amend proposed NASD Rules 
3510(a) and 3510(c) to clarify that the rule is intended to require not 
only that members conduct a planning process to create a written 
business plan, but also that the plan resulting from this process be 
reasonably designed to enable the member to continue its business in 
the event of future significant business disruptions. The NASD notes 
that the amended rule language is consistent with NASD rules in other 
areas where reasonableness standards have been adopted because the 
diversity of the NASD's membership made specific standards 
impracticable.\7\ The NASD believes that, in light of the concerns 
regarding the clarity of the original proposed rule text, this 
amendment to the proposed rule change should be published for comment 
to ensure that interested persons are given notice of the clarification 
and an opportunity to comment thereon.
---------------------------------------------------------------------------

    \7\ See, e.g., NASD Rules 3010 (Supervision) and 3011 (Anti-
Money Laundering Compliance Program).
---------------------------------------------------------------------------

2. Statutory Basis
    The NASD believes that the proposed rule change, as amended, is 
consistent with the provisions of section 15A(b)(6) of the Act,\8\ 
which requires, among other 
things, that the NASD's rules be designed to prevent fraudulent and 
manipulative acts and practices; to promote just and equitable 
principles of trade; and, in general, to protect investors and the 
public interest. The NASD believes that the proposed rule change, as 
amended, which would help to ensure that members are prepared for 
significant business disruptions, is consistent with those purposes.
---------------------------------------------------------------------------

    \8\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------

B. Self-Regulatory Organization's Statement on Burden on Competition

    The NASD does not believe that the proposed rule change, as 
amended, would result in any burden on competition that is not 
necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed 
Rule Change Received From Members, Participants, or Others

    Written comments were received in response to Notice to Members 02-
23 (April 2002) and the Original Notice. The NASD received 32 comment 
letters following publication of the Notice to Members. The NASD 
received three comment letters in response to the Original Notice. In 
response to these comment letters, the NASD identified the following 
issues that warranted amendments and/or further clarification.
Categories of a Member's Business Continuity Plan
    Proposed NASD Rule 3510(c) would state that the ``requirements of a 
business continuity plan are flexible and may be tailored to the size 
and needs of a member.'' The rule would require that each plan must, at 
a minimum, address eight key categories.
    These categories are: (1) Data back-up and recovery (hard copy and 
electronic); (2) all mission critical systems; (3) financial and 
operational assessments; (4) alternate communications between customers 
and the member; (5) alternate communications between the member and its 
employees; (6) business constituent, bank, and counter-party impact; 
(7) regulatory reporting; and (8) communications with regulators.
    In the Original Notice, the NASD stated that ``each member's 
business continuity plan will only be required to address the eight 
listed categories * * * to the extent applicable and necessary.'' One 
commenter believed that NASD Rule 3510 should specifically state this 
interpretation directly in the rule text. In response, the NASD in 
Amendment No. 2 proposed to revise proposed Rule 3510(c) to include the 
following statement:
    Each member must address the above-listed categories to the extent 
applicable and necessary to ensure the continuity of its business in 
the event of a future significant business disruption. If any of the 
above-listed categories is not applicable, the member's business 
continuity plan need not address the category. The member's business 
continuity plan, however, must document the rationale for not including 
such category in its plan. If a member relies on another entity for any 
one of the above-listed categories or any mission critical system, the 
member's business continuity plan must address this relationship.
    The NASD believes that this proposed language would ensure that 
members understand that, if any of the categories are not applicable, 
the member would still be required to document the rationale for not 
including such category in its business continuity plan. For example, 
if a member's books and records are kept at its clearing firm, the 
member's plan would be required to address this fact as well as the 
relationship with (including the identity of) the clearing firm.
Requirement To Update Business Continuity Plans
    Proposed NASD Rule 3510(b) would require that each member conduct 
an annual review of its business continuity plan to determine whether 
any modifications are necessary in light of changes to the member's 
operations, structure, business, or location. Some commenters believed 
that the yearly review requirement was inadequate. Although commenters 
cited different events that should trigger an update of a business 
continuity plan, most commenters who dissented believed that plans 
should be updated more frequently.
    The NASD believes that, at a minimum, an annual review of the plan 
is necessary. In response to member and industry comment, the NASD in 
Amendment No. 1 revised the proposed rule language to expand upon this 
requirement and include the following language:

Each member must update its plan in the event of any material change to 
the member's operations, structure, business or location. Each member 
also must conduct an annual review of its plan to determine whether any 
modifications are necessary in light of changes to the member's 
operations, structure, business or location.
    This added language emphasizes that members must promptly update 
their business continuity plans whenever there is a material change in 
a member's operations, structure, business, or location that affects 
the information set forth in the business continuity plan. This 
requirement would be in addition to the yearly review requirement.
Business Constituent, Bank, and Counter-Party Impact
    One of the categories that members' business continuity plans would 
be required to address is ``business constituent, bank, and counter-
party impact.'' Commenters sought clarification of this category. The 
NASD believes that, under this category, firms should have procedures 
that assess the impact that a significant business disruption has on 
business constituents (businesses with which a member firm has an on-
going commercial relationship pertaining to the support of the member's 
operating activities), banks (lenders), and counter-parties (such as 
other broker-dealers or institutional customers). In addition, the NASD 
believes that members should provide for alternative actions or 
arrangements with respect to their contractual relationships with 
business constituents, banks, and counter-parties upon the occurrence 
of a material business disruption to either party.
Category of Books and Records Back-Up and Recovery
    One of the categories that members' business continuity plans must 
address is ``books and records back-up and recovery (hard copy and 
electronic).'' One commenter requested clarification of whether the 
rule would create a requirement that members have both hard copy and 
electronic books and records. While proposed NASD Rule 3510 refers to 
the types of books and records that a firm might maintain, it does not 
mandate that members keep books and records (and back-up books and 
records) in both hard copy and electronic formats. To determine what 
records (and in what format) firms must retain, members should refer to 
Commission and NASD rules and interpretative materials specifically 
addressing record retention requirements, such as Rule 17a-4 under the 
Act \9\ and NASD Rule 3110.
---------------------------------------------------------------------------

    \9\ 17 CFR 240.17a-4.
---------------------------------------------------------------------------

Application of Proposed Rule to Subsidiaries
    In the Original Notice, the NASD stated that it believes that a 
subsidiary member firm may satisfy its obligations under the proposed 
rule by participating in a corporate-wide business continuity 
plan of a parent corporation that addresses its subsidiary member 
firms. As a result, a subsidiary member firm could rely on the 
corporate-wide business continuity plan of its parent corporation, 
regardless of whether the parent corporation is a member or non-member. 
The Original Notice, however, stated that the parent corporation's 
business continuity plan would have to comply fully with proposed NASD 
Rule 3510 and address all requirements under the proposed rule. In 
addition, it noted that the parent and subsidiary corporations would 
both be required to comply with NASD rules on recordkeeping and 
supervision for purposes of proposed NASD Rule 3510, and that the 
parent corporation would be required to grant NASD access to its 
business continuity plan upon request.
    One commenter believed that it would not be appropriate to subject 
non-member firms to these NASD requirements, nor would it be necessary. 
The NASD, however, believes that, if a member chooses to participate in 
a parent company's corporate-wide business continuity plan, the record-
keeping of that plan and any supervision of the creation, execution, or 
updating of that plan must comply with NASD rules on record-keeping and 
supervision. Participating in a corporate-wide business continuity plan 
is merely an alternative and is intended to give firms greater 
flexibility in complying with the proposed rule.
Senior Management Approval
    The NASD is proposing to amend the text of proposed NASD Rule 3510 
to include new subsection (d) to conform the NASD's proposed rule with 
the NYSE's proposed business continuity rule.\10\ The NASD agrees with 
the requirement set forth in the NYSE proposal that a member of senior 
management and a registered principal should approve a member's 
business continuity plan, including any updates to the plan, to ensure 
that the creation and maintenance of any plan is reviewed and approved 
by persons with appropriate expertise and seniority.
---------------------------------------------------------------------------

    \10\ See Securities Exchange Act Release No. 46443 (August 30, 
2002), 67 FR 57264 (September 9, 2002) (SR-NYSE-2002-35).
---------------------------------------------------------------------------

Emergency Contact Information
    Proposed NASD Rule 3520 would require members to provide the NASD 
with emergency contact information and update any information upon the 
occurrence of a material change. One commenter suggested that the NASD 
take a proactive role in gathering emergency contact information. As 
stated in the Original Notice, the NASD believes that this duty should 
lie with the member firm because the member will be best able to 
identify when a material change has taken place. Nevertheless, the NASD 
in Amendment No. 1 proposed to revise proposed Rule 3520(b) to require 
members to promptly update any changes to their emergency contact 
information. In addition, the NASD is eliminating the semi-annual 
update requirement from the rule text. Rather, to be consistent with 
other contact information required by the NASD and periodic updates 
required by the NYSE, the NASD will issue future guidance on a periodic 
update requirement. The NASD also is amending proposed NASD Rule 
3520(a) to include the phrase ``[a]mong other things'' to emphasize 
that the NASD is requiring other contact information in addition to 
designating two emergency contact persons.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 35 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding, or (ii) as to 
which the self-regulatory organization consents, the Commission will:
    (A) by order approve such proposed rule change; or
    (B) institute proceedings to determine whether the proposed rule 
change should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views, and 
arguments concerning the foregoing, including whether the proposed rule 
change, as amended, is consistent with the Act. Persons making written 
submissions should file six copies thereof with the Secretary, 
Securities and Exchange Commission, 450 Fifth Street, NW., Washington, 
DC 20549-0609. Copies of the submission, all subsequent amendments, all 
written statements with respect to the proposed rule change that are 
filed with the Commission, and all written communications relating to 
the proposed rule change between the Commission and any person, other 
than those that may be withheld from the public in accordance with the 
provisions of 5 U.S.C. 552, will be available for inspection and 
copying in the Commission's Public Reference Room. Copies of such 
filing will also be available for inspection and copying at the 
principal office of the NASD. All submissions should refer to File No. 
SR-NASD-2002-108 and should be submitted by March 31, 2003.

    For the Commission, by the Division of Market Regulation, 
pursuant to delegated authority.\11\
---------------------------------------------------------------------------

    \11\ 17 CFR 200.3-3(a)(12).
---------------------------------------------------------------------------

Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 03-5601 Filed 3-7-03; 8:45 am]
